ECM at Work
Joppe W. Bos and Thorsten Kleinjung
Laboratory for Cryptologic Algorithms, EPFL, Station 14, CH-1015 Lausanne, Switzerland
Motivation
The elliptic curve method (ECM) for integer factorization is used in the cofactorization phase of NFS (inputs of roughly 100-200 bits) and to factor large numbers directly (Mersenne, Cunningham numbers etc.).
Edwards curves vs Montgomery curves:
+ faster EC arithmetic
- more memory is required
Hence it is difficult to run Edwards-ECM fast on memory-constrained devices.
This presentation: slightly faster, memory-efficient Edwards ECM.
Edwards Curves (based on work by Euler & Gauss)
Edwards curves, twisted Edwards curves, inverted Edwards coordinates, extended twisted Edwards coordinates.
A twisted Edwards curve (with $ad(a - d) \neq 0$) is defined by
$ax^2 + y^2 = 1 + dx^2y^2$, or in projective form $(ax^2 + y^2)z^2 = z^4 + dx^2y^2$.
Elliptic curve point addition: $a = -1$: 8M; $a = -1$ and $z_1 = 1$: 7M.
Elliptic curve point duplication: $a = -1$: 3M + 4S.
2007: H. M. Edwards. A normal form for elliptic curves. Bulletin of the American Mathematical Society
2007: D. J. Bernstein and T. Lange. Faster addition and doubling on elliptic curves. Asiacrypt
2008: H. Hisil, K. K.-H. Wong, G. Carter, and E. Dawson. Twisted Edwards curves revisited. Asiacrypt
Elliptic Curve Method (ECM)
Try to factor $n = p \cdot q$ with $1 < p < q < n$. Repeat:
- Pick a random point $P$ and construct an elliptic curve $E$ over $\mathbb{Z}/n\mathbb{Z}$ containing $P$.
- Compute $Q = kP \in E(\mathbb{Z}/n\mathbb{Z})$ for some $k \in \mathbb{Z}$.
- If $\#E(\mathbb{F}_p) \mid k$ (and $\#E(\mathbb{F}_q) \nmid k$) then $Q$ and the neutral element become the same modulo $p$: $p = \gcd(n, Q_z)$.
(The $Q_z$ test is for Montgomery $XZ$-coordinates, where the neutral element has $z = 0$; on an Edwards curve the neutral element is $(0, 1)$, so one takes $\gcd(n, Q_x)$ instead.)
In practice, given a bound $B_1 \in \mathbb{Z}$: $k = \mathrm{lcm}(1, 2, \ldots, B_1)$.
Expected running time $O\big(\exp\big((\sqrt{2} + o(1))\sqrt{\log p \log\log p}\big)\, M(\log n)\big)$, where $M(\log n)$ represents the complexity of multiplication modulo $n$ and the $o(1)$ is for $p \to \infty$.
H. W. Lenstra Jr. Factoring integers with elliptic curves. Annals of Mathematics, 1987.
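The Edwards arithmetic of slide 3 and the ECM loop of slide 4, as an added Python example (it is not the authors' code). It implements the $a = -1$ extended twisted Edwards formulas of Hisil et al. 2008 (dedicated 8M addition; 3M + 4S doubling, one extra M when the $T$ coordinate is needed by a following addition) over $\mathbb{Z}/n\mathbb{Z}$, multiplies by $k = \mathrm{lcm}(1, \ldots, B_1)$ with a plain double-and-add chain, and takes $\gcd(n, Q_x)$ because the Edwards neutral element is $(0, 1)$. The curve construction (random $x, y$, solve for $d$), the operation counters, the seed loop and the primes 10007 and 10009 used as toy input are this example's own choices.

```python
"""Stage 1 of ECM on -x^2 + y^2 = 1 + d x^2 y^2 over Z/nZ (added example).
Points are (X:Y:Z:T) with T = XY/Z (extended twisted Edwards, a = -1)."""
import math
import random

OPS = {"M": 0, "S": 0}          # counters for the slides' M/S costs


def mul(a, b, n):
    OPS["M"] += 1
    return a * b % n


def sqr(a, n):
    OPS["S"] += 1
    return a * a % n


def reset_ops():
    OPS["M"] = OPS["S"] = 0


def ed_dbl(P, n, need_t=True):
    """2P: Hisil et al. doubling with a = -1, 3M + 4S; T3 = E*H is one more M
    and is only computed when the result feeds an addition."""
    X1, Y1, Z1, _ = P
    A, B, C = sqr(X1, n), sqr(Y1, n), 2 * sqr(Z1, n)
    D = -A                                  # a*A with a = -1
    E = (sqr(X1 + Y1, n) - A - B) % n
    G, F, H = (D + B) % n, (D + B - C) % n, (D - B) % n
    T3 = mul(E, H, n) if need_t else None
    return (mul(E, F, n), mul(G, H, n), mul(F, G, n), T3)


def ed_add(P, Q, n):
    """P + Q: dedicated 8M addition for a = -1. Assumes P != +-Q; if that
    fails modulo a prime p the point becomes (0:0:0:0) mod p, which the
    final gcd still detects."""
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A = mul(Y1 - X1, Y2 + X2, n)
    B = mul(Y1 + X1, Y2 - X2, n)
    C = 2 * mul(Z1, T2, n)
    D = 2 * mul(T1, Z2, n)
    E, F, G, H = (D + C) % n, (B - A) % n, (B + A) % n, (D - C) % n
    return (mul(E, F, n), mul(G, H, n), mul(F, G, n), mul(E, H, n))


def ed_mul(k, P, n):
    """kP by left-to-right double-and-add (result always carries T)."""
    bits = bin(k)[3:]                        # drop '0b' and the leading 1
    Q = P
    for i, bit in enumerate(bits):
        add = bit == "1"
        Q = ed_dbl(Q, n, need_t=add or i == len(bits) - 1)
        if add:
            Q = ed_add(Q, P, n)
    return Q


def on_curve(P, d, n):
    """Projective check (-X^2 + Y^2) Z^2 == Z^4 + d X^2 Y^2 (mod n)."""
    X, Y, Z, _ = P
    return ((Y * Y - X * X) * Z * Z - Z ** 4 - d * X * X * Y * Y) % n == 0


def same_point(P, Q, n):
    return (P[0] * Q[2] - Q[0] * P[2]) % n == 0 and (P[1] * Q[2] - Q[1] * P[2]) % n == 0


def lcm_upto(b1):
    k = 1
    for i in range(2, b1 + 1):
        k = k * i // math.gcd(k, i)
    return k


def curve_through(x, y, n):
    """d with (x, y) on the curve; (None, g) if the inversion reveals g | n."""
    den = x * x * y * y % n
    g = math.gcd(den, n)
    if g != 1:
        return None, g
    return (y * y - x * x - 1) * pow(den, -1, n) % n, None


def ecm_stage1(n, B1, seed):
    """One stage-1 trial on a pseudo-random curve; returns gcd(n, Q_x)."""
    rng = random.Random(seed)
    x, y = rng.randrange(2, n), rng.randrange(2, n)
    d, g = curve_through(x, y, n)
    if d is None:
        return g
    Q = ed_mul(lcm_upto(B1), (x, y, 1, x * y % n), n)
    return math.gcd(Q[0], n)                # neutral element (0:1:1): X = 0 mod p


def ecm_find_factor(n, B1, max_curves=500):
    """Try curves with seeds 0..max_curves-1 until a proper factor shows up."""
    for seed in range(max_curves):
        g = ecm_stage1(n, B1, seed)
        if 1 < g < n:
            return g
    return None


if __name__ == "__main__":
    print(ecm_find_factor(10007 * 10009, 256))   # constructed toy input
```

The `OPS` counters make the slide's per-operation costs visible: one doubling without `T` is 3M + 4S, with `T` 4M + 4S, and one addition 8M. The double-and-add chain here is deliberately naive; the windowed and restricted chains of the later slides reduce the number of additions per bit.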
EC-multiplication
Notation: A (EC-additions), D (EC-duplications), R (residues in memory), M (modular multiplications), S (modular squarings).

                    Montgomery                    Edwards
EC-multiplication   PRAC                          e.g. signed sliding window method, $w$-bit windows
#R                  14                            $4 \cdot 2^{w-1} + 4 + 2$
Performance         #(S+M)/bit ≈ 8-9              $\#A/\text{bit} \to 0$ as $B_1 \to \infty$ and $\#R \to \infty$, so the cost tends to (3M + 4S)/bit

D. J. Bernstein, P. Birkner, T. Lange, and C. Peters. ECM using Edwards curves. Cryptology ePrint Archive, Report 2008/016
D. J. Bernstein, P. Birkner, and T. Lange. Starfish on strike. Latincrypt, 2010
Modular squarings (#S), multiplications (#M) and residues in memory (#R) for one stage-1 scalar multiplication:

GMP-ECM (Montgomery curves)
B1          #S          #M          #S+#M       #R
256         1 066       2 025       3 091       14
512         2 200       4 210       6 400       14
1 024       4 422       8 494       12 916      14
12 288      53 356      103 662     157 018     14
49 152      214 130     417 372     631 502     14
262 144     1 147 928   2 242 384   3 390 312   14
1 048 576   4 607 170   9 010 980   13 618 150  14

EECM-MPFQ (a = -1)
B1          #S          #M          #S+#M       #R
256         1 436       1 608       3 044       38
512         2 952       3 138       6 090       62
1 024       5 892       6 116       12 008      134
12 288      70 780      67 693      138 473     1 046
49 152      283 272     260 372     543 644     2 122
262 144     1 512 100   1 351 268   2 863 368   9 286
1 048 576   6 050 208   5 306 139   11 356 347  32 786
Elliptic Curve Constant Scalar Multiplication
In practice people use the same $B_1$ for many numbers: can we do better for a fixed $B_1$?
B. Dixon and A. K. Lenstra. Massively parallel elliptic curve factoring. Eurocrypt 1992.
Observation: low Hamming-weight integers → fewer EC-additions.
Idea: search for low-weight prime products. Partition the set of primes into subsets of cardinality at most three.
Result: lowered the weight by ≈ a factor three.
Example: $1028107 \cdot 1030639 \cdot 1097101 = 1162496086223388673$ with
$w(1028107) = 10$, $w(1030639) = 16$, $w(1097101) = 11$, but $w(1162496086223388673) = 8$.
Elliptic Curve Constant Scalar Multiplication
We try the opposite approach ($c(s) :=$ #A in the addition chain for $s$):
- Generate integers $s$ with a "good" D/A ratio.
- Test these integers for $B_1$-smoothness and factor them: $s = \prod_i \hat{s}_i$.
J. Franke, T. Kleinjung, F. Morain, and T. Wirth. Proving the primality of very large numbers with fastECPP. Algorithmic Number Theory 2004
- Combine integers $s_j$ such that
$\prod_j s_j = \prod_j \prod_i \hat{s}_{i,j} = k = \mathrm{lcm}(1, \ldots, B_1) = \prod_\ell p_\ell$,
i.e. all the $\hat{s}_{i,j}$ match all the $p_\ell$, such that
$c\big(\prod_j s_j\big) < c'\big(\prod_j \prod_i \hat{s}_{i,j}\big) = c'(k)$.
Addition/subtraction chain
An addition/subtraction chain resulting in $s$ is a sequence $a_r = s, \ldots, a_1, a_0 = 1$ such that every $a_i = a_j \pm a_k$ with $0 \le j, k < i$.
Avoid unnecessary computations:
- Only double the last element: $A_{3,0}, D_0, D_0, D_0 \to (3, 2, 2, 2, 1)$ vs $A_{1,0}, D_0 \to (3, 2, 1)$ (sequences written from $a_r$ down to $a_0$; doubling $a_0$ three times produces the value 2 three times).
- Only add to or subtract from the last integer in the sequence (Brauer chains or star addition chains). This avoids computing the sum of two previous values without using the result.
Addition chains with restrictions
Reduce the number of duplicates.
Idea: only add an odd earlier element to, or subtract it from, the (even) last element, and after an addition (or subtraction) always perform a duplication.
Generation: start with $u_0 = 1$ (and end with a $\pm$), then
$u_{i+1} = 2u_i$, or $u_{i+1} = u_i \pm u_j$ for some $j < i$ with $u_i \equiv 0 \not\equiv u_j \pmod 2$.
Given $A$ EC-additions and $D$ EC-duplications this approach generates $\binom{D-1}{A-1} \cdot A! \cdot 2^A$ integers (one per chain; the $A$ additions split the $D$ duplications into $A$ non-empty blocks, the $m$-th addition can use any of the $m$ odd elements produced so far, and each has a sign).
Brauer chains vs restricted chains ($A = 3$, $D = 50$)
$140 \cdot \#\text{restricted chains} \approx \#\text{Brauer chains}$
$1.09 \cdot \mathrm{uniq}(\#\text{restricted chains}) \approx \mathrm{uniq}(\#\text{Brauer chains})$ (uniq: number of distinct integers reached)
No storage variant: only add or subtract the input $u_0$. Fewer integers are generated: $\binom{D-1}{A-1} \cdot 2^A$.
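The chain generator of slides 10 and 11 together with the smoothness filter of slide 8, as an added Python example (not the authors' search code). `restricted_chains` enumerates exactly the restricted chains, so its length can be checked against $\binom{D-1}{A-1}\, A!\, 2^A$ (and $\binom{D-1}{A-1}\, 2^A$ for the no-storage variant); `brauer_chains` enumerates the star addition/subtraction chains of slide 9 with the same $(A, D)$ budget, so the two families can be compared for small parameters; `smooth_candidates` keeps the $B_1$-smooth targets $s$ with their factorizations $s = \prod_i \hat{s}_i$. The small $(A, D)$ and $B_1$ values, the positivity rule for Brauer chains and the helper names are this example's choices; nothing here reproduces the $A = 3$, $D = 50$ counts of slide 11.

```python
"""Restricted addition/subtraction chains and B1-smooth targets (added example)."""
from math import comb, factorial


def restricted_chains(A, D, input_only=False):
    """All chains u_0 = 1, u_{i+1} = 2 u_i or u_i +/- u_j (u_i even, u_j odd,
    j < i) with exactly A additions/subtractions and D doublings, where every
    +/- except the last is followed by a doubling and the chain ends with +/-.
    input_only=True restricts u_j to u_0 (the 'no storage' variant).
    Returns the value sequences (u_0, ..., u_{A+D})."""
    out = []

    def rec(chain, a_left, d_left, last_was_add):
        if a_left == 0:
            if d_left == 0 and last_was_add:
                out.append(tuple(chain))
            return                       # doublings after the final +/- are useless
        u = chain[-1]
        if d_left > 0:
            rec(chain + [2 * u], a_left, d_left - 1, False)
        if u % 2 == 0 and not last_was_add:
            odd = [0] if input_only else [j for j in range(len(chain) - 1) if chain[j] % 2]
            for j in odd:
                for sign in (1, -1):     # odd elements never decrease, so u +/- u_j > 0
                    rec(chain + [u + sign * chain[j]], a_left - 1, d_left, True)

    rec([1], A, D, False)
    return out


def restricted_count(A, D, input_only=False):
    """Closed form from slides 10 and 11."""
    return comb(D - 1, A - 1) * 2 ** A * (1 if input_only else factorial(A))


def brauer_chains(A, D):
    """Star chains of slide 9: D doublings of the last element and A steps
    u_i +/- u_j (j < i) on the last element, values kept positive."""
    out = []

    def rec(chain, a_left, d_left):
        if a_left == 0 and d_left == 0:
            out.append(tuple(chain))
            return
        u = chain[-1]
        if d_left > 0:
            rec(chain + [2 * u], a_left, d_left - 1)
        if a_left > 0:
            for j in range(len(chain) - 1):
                for sign in (1, -1):
                    v = u + sign * chain[j]
                    if v > 0:
                        rec(chain + [v], a_left - 1, d_left)

    rec([1], A, D)
    return out


def distinct_targets(chains):
    """The 'uniq' count of slide 11: distinct integers s reached."""
    return len({c[-1] for c in chains})


def smooth_factorization(s, B1):
    """Factor s over the primes <= B1 by trial division; None if not B1-smooth."""
    f, p = {}, 2
    while p <= B1 and s > 1:
        while s % p == 0:
            f[p] = f.get(p, 0) + 1
            s //= p
        p += 1
    return f if s == 1 else None


def smooth_candidates(A, D, B1, input_only=False):
    """Slide 8: targets s of restricted (A, D)-chains, i.e. with D/A doublings
    per addition, that are B1-smooth, mapped to their factorizations."""
    cands = {}
    for chain in restricted_chains(A, D, input_only):
        s = chain[-1]
        if s not in cands:
            f = smooth_factorization(s, B1)
            if f is not None:
                cands[s] = f
    return cands


if __name__ == "__main__":
    A, D = 3, 12                               # small illustrative budget
    chains = restricted_chains(A, D)
    print(len(chains), "restricted chains,", distinct_targets(chains), "distinct targets")
    print(len(restricted_chains(A, D, input_only=True)), "chains without storage")
    print(sorted(smooth_candidates(A, D, 31)))
```

For a real search one raises $(A, D)$ to the ratios of interest, which is exactly where the closed-form count matters: the restricted family grows as $\binom{D-1}{A-1} A!\, 2^A$, whereas the Brauer family for the same budget is far larger, so the restriction is what makes exhaustive generation and smoothness testing affordable.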